An ocean of risk? Managing new cyber threats from MLC amendments
July 28, 2022 Maritime Safety News
Seafarers have won the right to mandatory internet access while at sea, under an update to the Maritime Labour Convention 2006 (MLC) agreed in May. What this will mean in practice will not become clear any time soon; shipowners are under no obligation to provide the service for free and coverage will vary according to location and business priority.
What is in no doubt is that shipowners will have to increase their investment in cyber security and training, now that seafarers can – at least in theory – demand access to the internet using personal devices and ships’ equipment.
Capt. Kuba Szymanski, Secretary General of shipmanagers association InterManager also welcomed the change. While noting that many third party and in-house managers already provide shipboard internet access, he warned the devil may be in the detail.
“Seafarers have the right to access but do they have coverage in the locations they are sailing? Busy routes will have a good level of coverage, quieter routes probably much less,” he points out. Until now, owners and managers have worked to a ‘best practice’ standard and the remainder will have no choice but to catch-up and there should be no exceptions. “Seafarers are no different to any other workers “and we don’t ask for special treatment, just equitable treatment,” he added.
The increase in access and traffic via satellite comes at a time when warnings are increasing of the potential for hackers to target the maritime sector in a bid to disrupt global trade.
Rear Admiral Wayne Arguin, the US Coast Guard’s assistant commandant for prevention policy, recently told Bloomberg News that shipping faces cyber risks similar to those in other industries but that the stakes are so much higher given the volume of global trade that moves by sea. While Arguin declined to put a number on the frequency of attempted attacks, he said “I feel very confident that every day networks are being tested, which really reinforces the need to have a plan.
“A potential intentional attack could really stress the system and we’re certainly thinking about how to shore that up,” Arguin said. “When you couple that with the sensitivity of supply-chain disruptions, it does have the potential to be devastating to the marine transportation system.”
Maritime risk consultant Rahul Khanna told Bloomberg there is “huge underreporting” when ships are attacked and “the ones who say they haven’t been, just don’t know about it.”
Across industry and government, there’s agreement that information sharing needs to increase. “Everybody needs to be all-in in this game and understand when there are vulnerabilities – getting that information out quickly is going to be thing that continues to help us close doors,” Arguin added. Remember too that the US delegation to the IMO was one of the prime movers behind the IMO2021 cyber amendments to the ISM Code, so further regulatory tightening seems likely.
Shipowners operating in European waters and calling ports in the European Union will have little choice but to pay more attention to cyber security and take action to secure their assets. Owners and port operators will soon be subject to the European Union’s updated Network and Information Security (NIS) directive which will apply to companies involved in freight and passenger transport in the EU, along its coasts routes and inland.
In readying for compliance with the amended MLC, shipowners need to assess and prepare for five threat vectors – systems and software, unprotected operational technology, infected devices, social engineering and operational safety.
For those vessels operating on legacy systems or even only using the mandatory GMDSS service, the change could be dramatic. Ships are at risk from infection from hackers scanning for vulnerable operating systems and data streams from Operational Technology onboard needs to be assessed and understood. Personal devices brought onboard may need to be subject to quarantine and permitted applications but crew also need to be protected from ‘Social Engineering’ scams that exploit loneliness.
Always-on internet connectivity transforms a ship from an asset with regular but limited internet access to the world of interactive, constantly updated internet and social content. That creates risks for which many vessel operators may simply be unprepared. Marlink views the amendment of MLC as a positive benefit for seafarers, but we believe that the risks to personal and operational safety must be carefully considered too, and managed through awareness/training as well organisational, technical and operational measures.